LDAP authentication for SSL VPN with FortiAuthenticator

This recipe describes how to set up FortiAuthenticator to function as an LDAP server for FortiGate SSL VPN authentication. It involves adding users to FortiAuthenticator, setting up the LDAP server on the FortiAuthenticator, and then configuring the FortiGate to use the FortiAuthenticator as an LDAP server.

1. Creating the User and User Group on FortiAuthenticator

From the FortiAuthenticator GUI, go to Authentication > User Management > Local Users, and select Create New.

Enter a name for the user (in the example, jgarrick), enter and confirm a password, and be sure to disable Allow RADIUS authentication — RADIUS authentication is not required for this recipe.

Set Role as User, and select OK. New options will appear.

Make sure to enable Allow LDAP browsing — the user will not be able to connect to the FortiGate otherwise.

Next, go to Authentication > User Management > User Groups, and add a user group for the FortiGate users. Add the desired users to the group.

2. Creating the LDAP Directory Tree on FortiAuthenticator

Go to Authentication > LDAP Service > Directory Tree, and create a Distinguished Name (DN) (in the example, dc=fortinet,dc=com). A DN is made up of Domain Components (DC).

Both the users and the user group created earlier are the User ID (UID) and the Common Name (CN) in the LDAP Directory Tree.

Create an Organizational Unit (OU), and a Common Name (CN). Under the cn=HeadOffice entry, add UIDs for each user.

If you mouse over one of the users, you will see the full DN of the LDAP server.

Later, you will use jgarrick on the FortiGate to query the LDAP directory tree on FortiAuthenticator, and you will use bwayne credentials to connect to the VPN tunnel.

3. Connecting the FortiGate to the LDAP Server

From the FortiGate GUI, go to User & Device > Authentication > LDAP Servers, and select Create New.

Enter a name for the LDAP Server connection.

Set Server IP/Name as the IP of the FortiAuthenticator, and set the Common Name Identifier as uid.

Set the Distinguished Name as dc=fortinet,dc=com, and set the Bind Type to Regular.

Next, enter the User DN of the LDAP server, and enter the Password.

The User DN is an account that the FortiGate uses to query the LDAP server.

Select Fetch DN to determine a successful connection. If successful, a dropdown menu will appear showing the LDAP Tree, dc=fortinet,dc=com.

4. Creating the LDAP User Group on the FortiGate

Go to User & Device > User > User Groups, and select Create New.

Enter a name for the user group, and under Remote Groups, select Create New.


Select LDAPserver under the Remote Server dropdown.

In the new Add Group Match window, select HeadOffice under the Groups tab, and select Add Selected, then click OK.

LDAPserver has been added to the LDAP group.

5. Configuring the SSL VPN

From the FortiGate GUI, go to VPN > SSL > Portals, and edit the full-access portal.

Disable Split Tunneling.

Go to VPN > SSL > Settings.

Under Connection Settings set Listen on Port to 10443.

Under Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_ADDR1.

Under Authentication/Portal Mapping, select Create New.

Assign the LDAPgroup user group to the full-access portal, and assign All Other Users/Groups to the desired portal.

Select the prompt at the top of the screen to create a new SSL-VPN policy.

Set Source User(s) to the LDAPgroup user group.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.

6. Results

From a remote device, access the SSL VPN Web Portal.

Enter valid LDAP credentials (in the example, bwayne).

‘bwayne’ is now successfully logged into the SSL VPN Portal.

From the FortiGate GUI, go to VPN > SSL > Monitor to confirm the connection.


In the example, uid=jgarrick,cn=HeadOffice,ou=techdoc,dc=fortinet,dc=com
If you select Test, it should show that the connection is Successful, however this is a false declaration. Only selecting Fetch DN will determine a successful connection.